Security

ejabberd: set the Diffie-Hellman (DH) parameter size to >= 2048 bits

  • February 9, 2016

In recent versions, ejabberd can be configured to use custom DH parameters via the `dhfile` and `s2s_dhfile` settings in ejabberd.yml. I created such DH parameter PEM files in three different ways:

openssl dhparam -out dh.pem 2048
openssl dhparam -out dh.pem 4096
openssl genpkey -genparam -algorithm DH -out dhp4096.pem -pkeyopt dh_paramgen_prime_len:4096

I put them into /etc/ejabberd/ and configured ejabberd accordingly:

hosts:
 - "somehost.tld"

access:
 announce:
   admin: allow
 c2s:
   blocked: deny
   all: allow
 c2s_shaper:
   admin: none
   all: normal
 configure:
   admin: allow
 local:
   local: allow
 max_user_offline_messages:
   admin: 100
   all: 100
 max_user_sessions:
   all: 10
 muc:
   all: allow
 muc_admin:
   admin: allow
 pubsub_createnode:
   all: allow
 register:
   all: allow
 s2s:
   all: allow
 s2s_shaper:
   all: fast

acl:
 admin:
   user:
     -
       "admin": "somehost.tld"
 local:
   user_regexp:
     - ""

 blocked:
   user:
     - "reklama": "sj.ms"
     - "cc6523": "tigase.im"
     - "reklama403": "kdetalk.net"
     - "pp241331": "kdetalk.net"
     - "advertising": "bin.vc"
     - "swiped_su6070": "debianforum.de"

auth_method: odbc
odbc_database: "ejabberd"
odbc_keepalive_interval: 3600
odbc_password: "YZucuq3vSdfPDnzs"
odbc_port: 3306
odbc_server: "127.0.0.1"
odbc_type: mysql
odbc_username: "ejabberdusr"

captcha_cmd: "/usr/lib/x86_64-linux-gnu/ejabberd/priv/bin/captcha.sh"
captcha_host: "http://somehost.tld:5280"
captcha_limit: 5

language: "en"

define_macro:
 'TLS_CIPHERS': "ECDH:DH:!CAMELLIA128:!3DES:!MD5:!RC4:!aNULL:!NULL:!EXPORT:!LOW:!MEDIUM"

listen:
 -
   port: 5222
   module: ejabberd_c2s
   certfile: "/etc/ejabberd/cert/somehost.tld.pem"
   dhfile: "/etc/ejabberd/dhp4096.pem"
   starttls: true
   starttls_required: true
   stream_management: true
   max_ack_queue: 1000
   resend_on_timeout: true
   max_stanza_size: 65536
   shaper: c2s_shaper
   access: c2s
   protocol_options:
     - "no_sslv3"
   ciphers: 'TLS_CIPHERS'
   zlib: true
 -
   port: 5269
   module: ejabberd_s2s_in
   transport: tcp
   max_stanza_size: 131072
   shaper: s2s_shaper
 -
   port: 5280
   module: ejabberd_http
   web_admin: true
   captcha: true

loglevel: 2
max_fsm_queue: 1000

modules:
 mod_adhoc: []

 mod_announce:
   access: announce

 mod_blocking: {} # requires mod_privacy
 mod_caps: []
 mod_carboncopy: {}
 mod_configure: []
##  mod_admin_extra: []
 mod_disco: []
 mod_irc: []
 mod_last: []

 mod_muc:
   host: "muc.@HOST@"
   access: all
   access_create: all
   access_persistent: all
   access_admin: muc_admin
   max_users: 500
   history_size: 1000
   default_room_options:
     allow_change_subj: true
     allow_private_messages: true
     allow_private_messages_from_visitors: anyone
     allow_query_users: false
     allow_user_invites: true
     allow_visitor_nickchange: true
     allow_visitor_status: true
     anonymous: false
     captcha_protected: false
     logging: true
     max_users: 200
     members_by_default: true
     members_only: false
     moderated: false
     password_protected: false
     persistent: false
     public: true
     public_list: true

 mod_muc_log:
   access_log: muc_admin
   dirname: room_name
   dirtype: subdirs
   file_format: html
   outdir: "/var/www/muc"
   spam_prevention: false
   timezone: local
   top_link:
     "/": "Jedem das Seine."

 mod_offline:
   access_max_user_messages: max_user_offline_messages

 mod_ping: {}
 mod_privacy: []
 mod_private: []
##  mod_proxy65:
##    access: all
##    shaper: c2s_shaper
 mod_pubsub:
   access_createnode: pubsub_createnode
   pep_sendlast_offline: false
   last_item_cache: false
   plugins:
     - "flat"
     - "hometree"
     - "pep"

 mod_register:
   welcome_message:
     subject: "Welcome!"
     body: "Welcome"
   captcha_protected: true
   access: register

 mod_roster: []
 mod_shared_roster: {}
 mod_stats: []
 mod_time: []
 mod_vcard: []
 mod_version: []

 mod_mam:
   db_type: odbc
   default: never

registration_timeout: 600
outgoing_s2s_port: 5269
outgoing_s2s_timeout: 10000
s2s_access: s2s
s2s_certfile: "/etc/ejabberd/cert/somehost.tld.pem"
s2s_dhfile: "/etc/ejabberd/dhp4096.pem"
s2s_use_starttls: required
s2s_protocol_options:
 - "no_sslv3"
s2s_ciphers: 'TLS_CIPHERS'
shaper:
 normal: 1000
 fast: 50000
watchdog_admins:
 - []
auth_password_format: plain
fqdn: "somehost.tld"

None of these DH parameter files made any difference. The XMPP.net test tool still warns:

Server uses Diffie-Hellman parameters of < 2048 bits. Grade capped to B.

and in the "Ciphers" section the bit size really is 1024, not 2048 or 4096.

Is it me and my config, or the XMPP.net tool? How can I check the DH bit size myself?

The server runs Debian 8.2 "Jessie" (stable) and ejabberd 15.09 from the testing repository.

Culprit found: the Diffie-Hellman parameters are handled by erlang-p1-tls. So when you upgrade ejabberd to the version from the testing repository, you should also upgrade the erlang-p1-tls package to the testing version!

sudo apt-get install erlang-p1-tls/testing

Actually, to get the testing version of ejabberd working properly on stable Debian, all erlang-* packages also need to be updated to their testing versions.

Quoted from: https://serverfault.com/questions/731394